Model Based Development&Testing Matlab PDF

Yogananda Jeppu, Chethan CU Workshop at MIT Manipal Jan 2013
Model Based Development & Testing

of Safety Critical Control Systems
Yogananda Jeppu
2
Key Takeaway
An insight into the fascinating field of Model Based
development and testing of Safety Critical Control
Systems
A hands on experience on the technology that makes it
safer for people to fly
A set of Best Practices in this field gleaned from the use
of this type of testing on Aircraft Programs in India
3
Presenters
4
Our Background
Chethan C U is a BE from BIT, Bangalore
He joined Honeywell in 2008
He is with Moog Controls since 2009 working on Model
Based Development and Testing of Control Systems for
commercial aircrafts
He has contributed to the innovation activities at Moog
and we are pursuing this with college projects
He has qualified the Simulink Blocks for certification by
the Federal Aviation Administration (FAA), USA
His contribution has been to come with equations in Excel to
qualify the Control System Blocks
5
Our Background
Yogananda J eppu has 25 years experience in Control
System Design, 6DOF Simulation, Model Based
Verification and Validation, System Testing.
Has worked on the Indian Light Combat Aircraft Control
System and the Indian SARAS aircraft.
Currently working at Moog India, as a Software
Specialist, on V&V of Commercial Aircraft Control
System, System Testing and Matlab / Simulink
Qualification.
Also responsible for University Relations and Innovation
in the organization.
6
Topics
Safety Critical Control Systems Brief Overview
Basic Matlab and Simulink Hands on
Basic Control System A recap
What are these Models? a look at how they function
Algorithms for implementing them Hands on
How do we test these blocks? a block by block
approach Hands on
Best Practices
7
Tips
We are providing tips as these as we go along and hope
that it will be useful to you.
8
About MOOG
Our philosophy at Moog is a simple
one. We believe in the people who
work for us. We believe work can be a
rewarding and satisfying experience
for everyone in an atmosphere of
mutual trust and confidence.
Bill Moog, 1951
9
MOOG
Founded in 1951 by Bill Moog
Independent, international, medium-size company
Traded on the New York Stock Exchange
People-oriented environment
Reputation for high quality and technical excellence
10
MOOG Aircraft Facilities
East Aurora, NY
1690 Empl oyees
Sal t Lake Ci ty, UT
340 Empl oyees
Torrance, CA
400 Employees
Tewkesbury, UK
400 Empl oyees
Bagui o Ci ty, Phi l i ppi nes
1100 Empl oyees
Sales:
$673 M in FY08
Moog Indi a Tech Centre
140 Empl oyees
11
Moog India Technology
Centre

The MOOG India Technology Center (MITC) will be an Aircraft
Group Strategic Design Center with complete item-level design,
development, and qualification capabilities. David Ranson
12
MOOG India Technology Center
Design & Technology Center
5 Acres of Land
15000 Sq Ft of built up area
350 Employees
Mechanical, Electrical, Software Engineering Support
Aerospace Qualification Testing Lab
13
Moog proprietary and/or confidential data
MITC Software Group has a right
mix of Software and Hardware
engineers with expertise in
Software Development & VnV as
per DO-178B standards, Model
Based Control System Testing,
Test Real Time, Matlab/Simulink,
ARINC Protocols, Various
Processor Boards, Hardware
Abstraction Layer.
Software
Engineering
14
Boeing 747-8
Development and Verification and
Validation of the Platform
Software
Control System Model Based
Testing
Control System modules coding
BIT Tests Gulfstream 650
Fly-by-Wire Control System Model Based Testing
DO 178B Level A
Software
Matlab/ Simulink
Based
Requirements
15
Gulfstream 250
Flap Control System Model Based
Testing
System Level Testing
Airbus A 350
Model Development
Testing at Low and High Levels
Hardware Abstraction Layer
Development and Testing
16
A350 Spoiler Servo Exploded View
A350 Elevator Servo Assembly
V-Seal Test Fixture
Mechanical
Engineering
17
MITC Electrical Section has
expertise in Digital, Analog, Power,
Sensor & Motor. The Group
provides Library and Component
Engineering Support to all MOOG
design centers.
Expertise available on DO-254
Level A VnV for PLD .
Short stroke LVDT
Generic motor
(conceptual)
Long stroke LVDT
P30 Aileron motor
P30 HSTA Motor
Electrical
Engineering
18
Test Engineering
Communication Protocols, RTOS, Device Drivers
Simulation, GUI Design & Hardware Interfaces
Test & Measurement Equipments handling
Legacy test S/W Conversion
Data Reduction & Analysis
Qualification Testing
Build-to-Print Systems
Test Equipment Engineering &
Production
TE environment software
Test Program Set
Functional Verification and
ATP/ESS / Qualification
Self Test and Calibration
Technology Specialization
B
r
e
a
d
t
h

o
f

S
u
p
p
o
r
t

O
f
f
e
r
i
n
g
s

TE Sustenance & Support
19
Safety Critical Applications
Aviation in itself is not inherently dangerous. But to an even greater degree than the sea,
it is terribly unforgiving of any carelessness, incapacity or neglect.
Captain A. G. Lamplugh,
20
Safety Critical Control Systems
Safety Critical Application:
An application where human safety is dependent upon the
correct operation of the system
Examples
Railway signaling systems
Medical devices
Nuclear controllers
Aircraft fly-by-wire system
21
Railway Signaling Systems
Andreas Gerstinger, "Safety Critical
Computer Systems - Open Questions
and Approaches",
Institute for Computer Technology
February 16, 2007
22
Reactor Core Modeling
Courtesy: J in J iang, Research in I&C
for Nuclear Power Plants at the
University of Western Ontario,
23
Streamliner Artificial Heart
J ames Antaki, Brad E. Paden, Michael J .
Piovoso, and Siva S. Banda, "Award
Winning Control Applications", IEEE
Control Systems Magazine December
2002
Programmable ECUs
Peter Liebscher, "Trends in Embedded
Development", http://www.vector-
worldwide.com/portal/medien/cmc/press/PSC/Tren
dsEmbedded_AutomobilElektronik_200602_Press
Article_EN.pdf
24
25
Safety Standards
ISO9001 Recommended minimum standard of quality
IEC1508 General standard
EN50128 Railway Industry
IEC880 Nuclear Industry
RTCA/DO178B Avionics and Airborne Systems
MISRA Motor Industry
Defense Standard 00-55/00-56
26
Safety Critical Flight Controls Marvel
A longitudinally unstable
platform
Performance and Stability
ensured by the a Fly-by-
Wire Control System
designed, implemented
and tested in India.
Used Model Based Test
Approach for Certifying
the Aircraft for Flight
Worthiness
Accidents Still Happen
That is very fine; but it is
impossible to make the men perfect;
the men will always remain the
same as they are now; and no
legislation will make a man have
more presence of mind, or, I
believe, make him more cautious;
and besides that, the next time such
an accident occurs, the
circumstances will be so different,
that the instructions given to the
men, in consequence of the former
accident, will not apply.
Isambard Kingdom Brunel
27
Automobile
"The complaints received
via our dealers center
around when drivers are
on a bumpy road or frozen
surface," said Paul
Nolasco, a Toyota Motor
Corp. spokesman in
J apan. "The driver steps
on the brake, and they do
not get as full of a braking
feel as expected. -
February 04, 2010
28
Automobile
J apanese carmaker Honda has recalled more than 25
lakh cars across the world to rectify a software glitch
62,369 vehicles in 2007: the antilock brake system (ABS)
control module software caused the rear brakes to lock
up during certain braking conditions. This error resulted
in a loss of vehicle control causing a crash without
warning.
5,902 vehicles in 2006: under low battery voltage
condition the air bag control unit improperly sets a fault
code and deactivates the passenger side frontal air bag.
The airbag subsequently would not deploy in the event of
a collision.
29
Nuclear
Iran's first nuclear power plant
has suffered a serious cyber-
intrusion from a sophisticated
worm that infected workers'
computers, and potentially
plant systems. Virus designed
to target only Siemens
supervisory control and data
acquisition (SCADA) systems
that are configured to control
and monitor specific industrial
processes (Wiki) - September
27, 2010
30
Nuclear
On March 7, 2008 there was a
complete shutdown (Scram) of
the nuclear core at Unit 2 of the
Hatch nuclear power plant near
Baxley after a Southern
company engineer installed a
software update. The software
reset caused the system to
detect a zero in coolant level of
the radioactive nuclear fuel
rods starting this unscheduled
scram. Loss $ 5 million.
31
Space
The Accident Investigation
Board concluded the root
cause of the Titan IV B-32
mission mishap was due to the
failure of the software
development, testing, and
quality/mission assurance
process used to detect and
correct a human error in the
manual entry of a constant. The
entire mission failed because of
this, and the cost was about
$1.23 billion.
32
Aircraft
A preliminary investigation
found that the crash was
caused primarily by the
aircraft's automated
reaction which was
triggered by a faulty radio
altimeter, which had failed
twice in the previous 25
hours. This caused the
autothrottle to decrease
the engine power to idle
during approach. - 25
February 2009
9 Fatalities, 117 Injured
33
34
Railway
The J une 2009
Washington Metro
train collision was a
subway train-on-train
collision. A
preliminary
investigation found
that, signals had not
been reliably
reporting when that
stretch of track was
occupied by a train.
9 Fatalities, 52 Injured
35
36
Medical
The maker of a life-saving radiation therapy device has
patched a software bug that could cause the systems
emergency stop button to fail to stop, following an
incident at a Cleveland hospital in which medical staff had
to physically pull a patient from the maw of the machine.
The bug affected the
Gamma Knife, that
focuses radiation on a
patients brain tumor
while leaving
surrounding tissue
untouched. - October
16, 2009
37
Medical
28 radiation therapy patients
were over exposed to
radiation at the National
Oncology Institute (Instituto
Oncolgico Nacional, ION) in
late 2000 and early 2001. 23
of 28 at risk patients died of
this due to rectal
complications.
A software used to compute the dosage could not detect the
erroneous inputs and gave 105% more dosage values
38
Standards
If you are looking for perfect safety, you
will do well to sit on a fence and watch
the birds; but if you really wish to learn,
you must mount a machine and become
acquainted with its tricks by actual trial.
Wilbur Wright
39
Aerospace Standard DO-178B
Called Software Considerations in Airborne Systems and
Equipment Certification
Published by RTCA Inc (Radio Technical Commission for
Aeronautics a not-for-profit corporation sponsored by
Federal Aviation Administration, USA)
It is a document that addresses the life cycle process of
developing embedded software in aircraft systems.
It is only a guidance document and does not specify what
tools and how to comply with the objectives
It is a commonly accepted standard worldwide for
regulating safety in the integration of software in aircraft
systems and insisted by the certifying authorities like FAA
40
Five levels of software have been defined
Software
Criticality
Level Probability
FAR/JAR
Remarks
Catastrophic A <10
-9
Failure may cause a crash. Error or loss of critical
function required to safely fly and land aircraft.
Hazardous B <10
-7
Failure has a large negative impact on safety or
performance. Passenger injury.
Major C <10
-5
Failure is significant, but has a lesser impact than a
Hazardous failure (leads to passenger discomfort
rather than injuries)
Minor D <10
-3
Failure is noticeable, but has a lesser impact than a
Major failure (causes passenger inconvenience)
No Effect E Any
Failure has no impact on safety, aircraft operation, or
crew workload.
41
Probability Vs Consequence
42
Defines a list of objectives with and without independence
for the various levels of software
Software
Levels
Number of Objectives
With Without Total
A 25 41 66
B 14 51 65
C 2 55 57
D 2 26 28
Process Planning Development Verification Config .
Control
Quality
Assurance
Certification
Liaison
Total
Objectives 7 7 40 6 3 3 66
43
DO-178B Traceability
All the software lifecycle processes are linked in any
given application i.e. the lifecycle activities must be
traceable
Test Results
Test cases and
Procedures
Code
Design
Requirements
Linkages
Reviews ensure that the
results are traceable to Test
procedures and they in turn
are traceable to the Design
and High Level
Requirements
Reviews ensure that the linkages
are correct and traceable
44
Tips
45
DO-178B Certification
Certification - legal recognition by the certification
authority that a software product complies with the
requirements
Certification is done on the individual application of the
product
Coding practices must be certified to ensure things like
"dead code" are not allowed.
Certification requires that 'full testing' of the system and
all of it's components (including firmware) be done on the
target platform in the target environment.
Certification requires code testing at the MCDC level.
Coverage proof to be provided.
46
Tips
47
Tips
48
Tips
49
Matlab
Although Matlab is now a full fledged
Technical Computing Environment,
it started in the late 1970s as a simple
Matrix Laboratory. Cleve Moler
50
51
What is Matlab?
Software developed by Mathworks, Inc. since 1984
Stands for MATrix LABoratory
The current version is MATLAB R2012a
Primarily an optimized software package for matrix
operations
Behaves like a complex functional calculator or as a
programming language
52
Parts of Matlab
High Level Development Environment
Programming Language
Graphics
Toolboxes
Application Program Interface
53
Matlab Toolboxes
Several toolboxes available for specialized applications
like
Control System Design
Signal Processing
Optimization
Simulink
Real Time Workshop
So on .
54
History of Matlab
55
History of Matlab
Ancestral software to MATLAB are LINPACK and
EISPACK Fortran routines
MATLAB was invented in the late 1970s by Cleve
Moler, then chairman of the computer science
department at the University of New Mexico. It was a
Fortran version.
Designed it to give his students access to the Fortran
routines
It found a strong audience within the applied
mathematics community
56
End of History
J ack Little, an engineer, was exposed to it when Moler
visited Stanford University in 1983.
Recognizing its commercial potential, he joined with
Moler and Steve Bangert to rewrite the package in C
It was lovingly known as J ACKPAC
Little's specialty was control system design and the
community adopted it
57
Matlab Basics
58
Matlab Window
Command
Window
History
Directory
59
Matlab Window
Array Editor
Figure
Workspace
60
Matlab as Calculator
-->basic = 30000;perks = 20000; transport = 1200; total =
basic+perks+transport; tax = 0.3*total
tax =
15360.
>> 2+2
ans =
4
61
Matlab as Calculator
Sin
(tab)
62
Getting Around
>> cd 'C:\Documents and
Settings\jyoganan\Desktop\MIT_Manipal\workshop'
exit , quit
! windows_command (Try !notepad.exe)
help
clear all
close all
version
dir ls
who, whos
63
Getting around some more
what (list of matlab specific files in the directory)
which (tells you which function is called )
which fft
built-in (D:\Program
Files\MATLAB\R2007a\toolbox\matlab\datafun\@logical\f
ft) % logical method
save vals.dat a b
load vals.dat a b
diary filename
diary off
format
why
64
Exercise
Explore Help Functionality
help
save
load
diary
format
who
whos
what
which
!
65
Mathematics & Matrices
66
Matlab Variables
Starts with a alphabet
Length restrictions 63 chars, truncates the name after
that
Case sensitive
Variable is by default double precision matrix
Variables can be character, of any precision, logical
Legal Names - averageCost, average_cost, Left2Pay,
n5, N5
Illegal Names - average-Cost, average cost, 2pay, %x,
@sign
67
Special Variables
pi
i, j
eps (2.220446049250313e-016)
NaN (0/0)
inf
realmin
realmax
Mathematical function names sin, cos, ...
68
Entering Numeric Arrays
a=[1 2;3 4]
a =
1 2
3 4
b=[-2.8, sqrt(-7), (3+5+6)*3/4]
b =
-2.8000 0 + 2.6458i 10.5000
b(2,5) = 23
b =
-2.8000 0 + 2.6458i 10.5000 0 0
0 0 0 0 23.0000
NOTE:
1) Row separator
semicolon (;)
2) Column separator
space OR comma (,)
Use square
brackets [ ]
This image cannot currently be displayed.
69
The Matrix
4 10 1 6 2
8 1.2 9 4 25
7.2 5 7 1 11
0 0.5 4 5 56
23 83 13 0 10
1
2
Rows (m) 3
4
5
Columns
(n)
1 2 3 4 5
1 6 11 16 21
2 7 12 17 22
3 8 13 18 23
4 9 14 19 24
5 10 15 20 25
A =
A (2,4)
A (17)
Rectangular Matrix:
Scalar: 1-by-1 array
Vector: m-by-1 array
1-by-n array
Matrix: m-by-n array
70
Entering Numeric Arrays
Scalar expansion
Creating sequences:
colon operator (:)
Utility functions for
creating matrices.
w=[1 2;3 4] + 5
w =
6 7
8 9
x = 1:5
x =
1 2 3 4 5
y = 2:-0.5:0
y =
2.0000 1.5000 1.0000 0.5000 0
z = rand(2,4)
z =
0.9501 0.6068 0.8913 0.4565
0.2311 0.4860 0.7621 0.0185
71
Numerical Array Concatenation
a=[1 2;3 4]
a =
1 2
3 4
cat_a=[a, 2*a; 3*a, 4*a; 5*a, 6*a]
cat_a =
1 2 2 4
3 4 6 8
3 6 4 8
9 12 12 16
5 10 6 12
15 20 18 24
Use [ ] to combine
existing arrays as
matrix elements
Row separator:
semicolon (;)
Column separator:
space / comma (,)
Use square
brackets [ ]
Note:
The resulting matrix must be rectangular
4*a
72
Deleting Rows and Columns
A=[1 5 9;4 3 2.5; 0.1 10 3i+1]
A =
1.0000 5.0000 9.0000
4.0000 3.0000 2.5000
0.1000 10.0000 1.0000+3.0000i
A(:,2)=[]
A =
1.0000 9.0000
4.0000 2.5000
0.1000 1.0000 + 3.0000i
A(2,2)=[]
??? Indexed empty matrix assignment is not allowed.
73
Matrix Multiplication
a = [1 2 3 4; 5 6 7 8];
b = ones(4,3);
c = a*b
c =
10 10 10
26 26 26
[2x4]
[4x3]
[2x4]*[4x3] [2x3]
a(2nd row).b(3rd column)
a = [1 2 3 4; 5 6 7 8];
b = [1:4; 1:4];
c = a.*b
c =
1 4 9 16
5 12 21 32
c(2,4) = a(2,4)*b(2,4)
Array Multiplication
74
Math Operations
+ Addition
+ Unary plus
- Subtraction
- Unary minus
* Matrix multiplication
^Matrix power
.* Array multiplication (element-wise)
.^Array power (element-wise)
inv()
75
Matrix Creation & Manipulation
transpose
reshape, matrix(a,3,2)
eye zeros ones rand
r=rand(2,2,2,2) multidimensional array

linspace logspace
length
size
exist, exists
76
Mathematical Functions
trigonometric
sqrt
max min
mean median
std
sum prod
diff
find
sort
gradient
77
Exercise
Make an array of 100 rows and 3 cols of random number
Make a time vector from 0 to 10 seconds with an
increment of 0.01 and assign it to a variable time
Make a vector x which has a sine waveform of 10 hz
and a bias of 10, amplitude of 20
Make a vector y of all zeros and pulse of 1 for 3 frames
i.e. 100,101,102 frame numbers
Make a vector z of all zeros and pulse of 1 from time 1.2
to 4.21 sec
Make a vector x of sine wave with random frequency
(0.1 to 2.0), amplitude (-2.0 to 2.0) and bias (-10 to 10)
78
Programming
79
Script vs Function
Workspace
Script executes in workspace
Interpreted
Function taken in variables.
Internal variables local
Require global variables
80
Editor
81
Script File
x=[1:10]
[m,n] = size(x);
if m == 1
m = n;
end
y = sum(x)/m
82
Function File
function y = mean (x)
% MEAN Average or mean value.
% For vectors, MEAN(x) returns the mean value.
% For matrices, MEAN(x) is a row vector
% containing the mean value of each column.
[m,n] = size(x);
if m == 1
m = n;
end
y = sum(x)/m;
Output Arguments Input Arguments Function Name
Online Help
Function Code
83
For Loop
k=2;
a = zeros(k,k) % Preallocate matrix
for m = 1:k
for n = 1:k
a(m,n) = 1/ (m+n -1);
end
end
84
Switch Statement
method = 'Bilinear';
switch lower(method)
case {'linear','bilinear'}
disp('Method is linear')
case 'cubic'
disp('Method is cubic')
otherwise
disp('Unknown method.')
end
Method is linear
85
If Statement
if ((attendance >= 0.90) & (grade_average >= 60))
pass = 1;
else
pass = 0;
end
86
While Loop
eps = 1;
while (1+eps) > 1
eps = eps/ 2;
end
eps = eps*2
87
Exercise
Write a function to generate a random vector of 1s and
0s
Use a for loop
Use if then else
Use rand function
Use sort
Create a sorted vector T of 10 elements with values 0 to 10.
Create a time vector t, 0 to 10 step 0.01
Create a vector of length t of zeros
Assign the first element with a random 1 or 0
Assign other elements toggling 1 to 0 and 0 to 1 at T points
88
Exercise
Write a function to compute the error between two
signals and generate a pass fail based on threshold
Test this function
Err_sig =abs(A-B)
If A >1 then Err_sig =Err_sig/(abs(A))
If Err_sig >Threshold then declare fail
Function A =passfail(A,B,Threshold)
A =1 pass, A=0 fail
89
Exercise
Make a frequency scale of length equal to time signal in
the previous exercise from 0 to 100 Hz
Make a frequency scale from 0.1 to 1000 rad/sec in a log
scale
Make a complex signal which is a product of a 1 hz, 3 hz,
10 hz signal of amplitude 2, 3, and 4 respectively for the
time vector time. Find the max and min values in the
zone 1.6 to 2.3 seconds.
Generate a ramp signal from 0 to 100 for 1000 points.
Make a time signal with sampling 0.01 seconds for this
length. Find the slope using gradient
90
Graphics
91
Plotting
t=1:10;y=rand(1,10);plot(t,y);shg
92
Plot Commands
figure;plot(t,x,k,t,y,b,t,z,r);grid
legend
title
xlabel
ylabel
axis
hold
plotyy
93
Plot More Commands
text
gtext
ginput
subplot
gcf
print
save
94
Exercise
Plot the waveforms generated during the earlier exercise
and make a neat presentation
95
Polynomials
96
Polynomial
The polynomial
is written as a = [10 12 0 15.5 -20]
Roots(a) gives the roots of the polynomial
-1.9110
-0.0209 + 1.1789i
-0.0209 - 1.1789i
0.7528
97
Polynomial
Use conv(a,b) to multiply two polynomials
Use deconv(a,b) to divide two polynomials
a=[1 3];b=[1 3 4];c= conv(a,b)
c=[1 6 13 12]
deconv(c,a) => [1 3 4]
polyval(p,x) gives the value of the polynomial
98
Simulink
99
Definitions
Modeling = procedure to simplify investigation of their
dynamic behavior
Simulation = imitation of dynamic behavior of real
systems
Analysis = relating system behavior to a changing
variable or parameter
Diagnostics = indicating the reason for a system failure
100
Simulink
Graphical programming language
Extension of Matlab
Powerful modeling tool
Control systems
Transfer functions based
Vehicle and Aerospace
Code generation
Verification and Validation
101
System
Uses a icon-driven interface for the construction of a
block diagram representation of a process.
A block diagram is simply a graphical representation of
a process (which is composed of an input, the system,
and an
output).
102
Invoking Simulink
103
Simulink Blocks
104
Sources
Sources library contains the
sources of data signals to be
used in the dynamic system
simulation.
E.g. Constant signal, signal
generator, sinusoidal waves,
step input, repeating
sequences like pulse trains
and ramps etc.
105
Sinks
Sinks library contains
blocks where the signal
terminates. You may
store data in a file,
display it. Use the
terminator block to
terminate unused
signals. STOP block is
used to stop the
simulation if the input to
the block is non-zero.
106
Continuous & Discrete
Analyze your
dynamic system
as continuous or
discrete. Simulink
lets you
represent your
system using
transfer
functions,
integration
blocks, delay
blocks etc.
107
Non Linearity
108
Shamelessly Picked From
Bruce Mayer, PE
Licensed Electrical &
Mechanical Engineer
BMayer@ChabotCollege.edu
109
Simulink - 01 ( ) 0 0 sin 10 = = y t
dt
dy
Fire Up
Simulink
Library
Browser
110
Simulink - 02 ( ) 0 0 sin 10 = = y t
dt
dy
Open Model
Window/File
111
Simulink - 03
The Untitled
Model
Window
( ) 0 0 sin 10 = = y t
dt
dy
112
Simulink - 04 ( ) 0 0 sin 10 = = y t
dt
dy
Select Sources Library
Drag SineWave icon to Model
Window
113
Simulink - 05 ( ) 0 0 sin 10 = = y t
dt
dy
DoubleClick SineWave icon to
Open Block-Parameters Dialog
Box
No Changes
Needed
114
Simulink - 06 ( ) 0 0 sin 10 = = y t
dt
dy
Select Math Ops Library
Drag Gain icon to Model Window
115
Simulink - 07 ( ) 0 0 sin 10 = = y t
dt
dy
DoubleClick Gain icon to Open
Block-Parameters Dialog Box
Set Gain
to 10
116
Simulink - 08 ( ) 0 0 sin 10 = = y t
dt
dy
Set IC
to Zero
Select Continuous Library
Drag Integrator Block to
Model Window
2X-Click the Icon to Open
the Dialog Box
Set the IC to Zero
117
Simulink - 09 ( ) 0 0 sin 10 = = y t
dt
dy
Select
SinksLibrary
Drag Scope Block
to Model Window
118
Simulink - 10 ( ) 0 0 sin 10 = = y t
dt
dy
Connect The Block
Outputs & Inputs
Turns to Cross
when Clicked
119
Simulink - 11 ( ) 0 0 sin 10 = = y t
dt
dy
Open the
Config
Parameters
Dialog Box
Set 13s Stop-
Time
120
Simulink - 12 ( ) 0 0 sin 10 = = y t
dt
dy
Start Simulation
Opens the Scope
Display
Wait for Bell to
Sound
2X Click Scope
Click Binocs to
AutoScale
121
Simulink - 13 ( ) 0 0 sin 10 = = y t
dt
dy
Simulation Result
( ) ( )
}
=
=
=
t z
z
zdz y t y
0
sin 10 0
122
Simulink - 14 ( ) 0 0 sin 10 = = y t
dt
dy
Export Simulation to
Workspace for Plotting
Add/Subtract icons
2X-Click To
WorkSpace icon
123
Simulink - 15 ( ) 0 0 sin 10 = = y t
dt
dy
Export Result Plot the Result
t
( ) t y
0 2 4 6 8 10 12 14
0
2
4
6
8
10
12
14
16
18
20
t
y
Example 9.2-3: Soln to dy/dy = 10sin(t) y(0) = 0
>> plot(y(:,1),y(:,2)), xlabel('t'), ylabel('y'), grid
124
Simulink Exercise
Make a model by having 3 inputs A,B, C and two outputs
O1, O2. O1 = (A+B-C) * 3. If O1 > 10 then O2 = 10 else
5. Use from workspace and to workspace. Plot the
results
Make a model with 4 inputs A,B,C,D and 1 output O1. If
(A AND B) XOR C then O1 = D else O1 = (D+10.5)*10
Connect a discrete TF to a input and see its step
response in a scope. Use from workspace and to
workspace. Plot the results
Simulink Exercise
Use an integrator to count 1 second time
125
Unit Delay
z
1
Signal Builder 5
Signal 1
Signal Builder 4
Signal 1
Signal Builder 2
Signal 1
Signal Builder 1
Signal 1
Signal Builder
Signal 1
Scope1
Scope
Discrete-Time
Integrator 1
K Ts
z-1
x
o
Discrete-Time
Integrator
K Ts
z-1
x
o
Compare
To Constant
>=1
Simulink Exercise
Use Mux Demux blocks
Use of saturation block
Use a lookup table 1 D
Use the matlab function interp1
Use a lookup table 2 D
Use the matlab function interp2
Use the matlab function filter with the Discrete Filter
Simulink block. Compare results
126
127
Control Systems
I found a letter from my mother after
20 years between the pages of BC
Kuo An Engineer
What is stability
128
Inherent Stability
This is Controls
129
Stability
C
o
n
t
r
o
l
l
e
r

O
/
P
Stable Unstable
Neutrally Stable
130
Controls is not new
131
285-222 BC
Ktesibios water clock
The first feedback system
developed by humans
Designed by Ktesibios, a
barber, in Alexandria
Greece around 250 BC
The flow of water in the
second tank is regulated by
a float. This maintains the
height and thus provides a
constant flow of water
132
Simulink model of the clock
133
Simulation results
134
0 20 40 60 80 100
0
0.2
0.4
0.6
0.8
1
Simulation of Ktesibios Water Clock
T
a
n
k
1

I
n
l
e
t

V
a
l
v
e
0 20 40 60 80 100
0
5
10
15
Simulation Time
T
a
n
k
1

W
a
t
e
r

L
e
v
e
l

Water Level
Set Point
Simulation results
135
0 20 40 60 80 100
0
5
10
15
20
Simulation of Ktesibios Water Clock
T
i
m
e

I
n
d
i
c
a
t
e
d

With Feedback
Without
0 20 40 60 80 100
0
0.1
0.2
0.3
0.4
Simulation Time
R
a
t
e

o
f

C
h
a
n
g
e

With Feedback
Without
What is control system
Feedback
Control
The milk
better not
boil
&^&%$$
136
Concept of delay
Feedback
Control
137
Concept of gain
Feedback
Control
138
Simulation
139
Demonstration of gain FEEDBACK01
Simulation
140
Demonstration of delay
FEEDBACK02
Causes for gain and delay
Unmodeled dynamics
External changes like speed and height in aircraft. The
aircraft characterization and response varies with these
two important factors
Changes in load different inertia
Delay due to processing
Delay due to communication
Delays due to non linearity
Nature
141
Modeling systems
142
The Laplace
S means differentiation
1/S means integration
Transfer function is the output to input relation
TF
Input
Output
Output
Input
= TF
143
Laplace transform
144
Transfer function
145
0 0.5 1 1.5 2 2.5 3
0
0.2
0.4
0.6
0.8
1
1.2
Control performance
146
Control performance
147
PID effect - Increasing
148
C-Loop
RESPONSE
RISE TIME OVERSHOOT SETTLING
TIME
S-S ERROR
Kp Decrease Increase Small
Change
Decrease
Ki Decrease Increase Increase Eliminate
Kd Small
Change
Decrease Decrease Small
Change
Closed Loop System
Process : A system to be controlled
Controller : Provides the excitation for the plant; (PID)
Designed to control the overall system behavior
The characteristics of the each of the controller should be to obtain
a desired response from the closed loop system.
149
PID Controller
150
Demonstration of
PID FEEDBACK03
Steps to tune PID
Obtain an open-loop response and determine what
needs to be improved
Add a proportional control to improve the rise time
Add a derivative control to improve the overshoot
Add an integral control to eliminate the steady-state error
Adjust each of Kp, Ki, and Kd until you obtain a desired
overall response.
151
Design Exercise
Design a controller for the black box
152
We want this
153
0 5 10 15 20 25 30 35 40
-1
-0.8
-0.6
-0.4
-0.2
0
0.2
0.4
0.6
0.8
1
Time (s)
M
a
g

Input
Output
Find the plant parameters
t=0:0.01:10;y = chirp(t,0.01,10,50,'logarithmic');
y=[zeros(6000,1);y';zeros(6000,1)];
plot(y);shg
y1=y;
y=y1*0.1+5;
plot(y);shg
y=[linspace(0,5,300)';y];
plot(y)
t=0:0.01:(length(y)-1)*0.01;t=t';
plot(t,y);shg; T=t;INP=y;
154
Input signal
155
0 20 40 60 80 100 120 140
0
1
2
3
4
5
6
62 64 66 68 70 72
4.85
4.9
4.95
5
5.05
5.1
5.15
Output processing
t=0:0.01:time(end);t=t';
inp=interp1(time,input,t);
out=interp1(time,simout,t);
out1=interp1(time,simout1,t);
plot([inp out out1]);shg
Simulink with variable time step gives output as different

time points. Interpolation gets all this at equal time
points.
156
Compute response
fi=fft(inp(2000:end));
fo=fft(out(2000:end));
fo1=fft(out1(2000:end));
trf=fo./fi;
tfr1=fo1./fi;
freq=linspace(0,100,length(trf));
load freres T INP mag ph freqx
plot(freqx,mag,freq,abs(trf),freq,abs(trf1));shg
157
Time Plots
158
6200 6400 6600 6800 7000 7200 7400 7600
0
1
2
3
4
5
Frequency response
159
5 10 15 20 25 30
0
5
10
15
20
Freq (Hz)
M
a
g

Actual
NL Plant
Linear
fminsearch
Help Fminsearch
X = FMINSEARCH(FUN,X0) starts at X0 and attempts to
find a local minimizer X of the function FUN.
Example
c = 1.5; % define parameter first
x = fminsearch(@(x) myfun(x,c),[0.3;1])
160
Fit a Transfer Function
function f = modelx(X)
global freqmag
X=abs(X);
z=[-X(1);-X(2);-X(3)+i*X(4);-X(3)-i*X(4)];
p=[-X(5)-i*X(6);-X(5)+i*X(6);-X(7)+i*X(8);-X(7)-i*X(8)];
k=X(9);
[n,d]=zp2tf(z,p,k);
[m1,p1]=bode(n,d,2*pi*freq);
plot(freq,[mag m1]);title(num2str(X));shg
f=norm(mag-m1);
161
This will help
X=[
3.2633e-001
1.0671e+002
7.3886e+002
5.6889e+002
2.2296e+001
2.6413e+001
2.2333e+001
1.2414e+002
9.5887e-002];
162
Design a controller
Homework
Experiment with SISOTOOL
This plant will not work with just PID. It may require a lead lag
filter also.
163
164
Control Algorithms
DTF-I-1S1
Num Coeff A 0 =Nz(1)
Num Coeff A 1 =Nz(2)
Den Coeff B 1 =Dz(2)
Sample Time =DT
Discrete Transfer Function
I order 1 State
Out
Input
Init
Safe
ns=[A1 A2];
ds=[1 B2];
[Nz,Dz]=c2dm(ns,ds,DT,'tustin');
sim('digital1order');
INP =inp(1);
out =inp(1);
po=out;
Pi=INP;
B=[];
for i =1:length(o)
INP=inp(i);
if init(i) >0
INP =inp(i);
out =inp(i);
po=out;
Pi=INP;
else
out=Nz(1)*INP+Nz(2)*Pi-Dz(2)*po;
po=out;
Pi=INP;
end
B=[B;[INP out]];
end
o1=B(:,2);
err=abs(o-o1);
iie=find(abs(o >100));
err(iie)=abs(err(iie)./o(iie));
165
S Domain First Order Filter
s I
O
+
=
1
1
I O s O = +
I O O = +
-
O I
O

=
-
-
O
}
1
-
I
O
O
Make a Simulink Block
166
Discretization
Tustin approximation
(Bilinear)
Tustin with
Prewarping
Better (freq. resp.
matches) ill-defined at and
close to z = -1
Ensures frequency
response matches at
critical freq
Transfer the S Domain to Z Domain
167
First Order Filter
The first order filter is represented by the following
transfer function
Nz and Dz are computed using the Tustin Transform
The term z-1 denotes the previous value
.
) 2 ( ) 1 (
) 2 ( ) 1 (
1
1
+
+
=
z Dz Dz
z Nz Nz
I
O
.
1
) 1 ( ) / 2 (
+
+
=
z
z T
s
168
Matlab Commands
sys = tf(1,[0.1 1]), Tc = 0.1
Transfer function:
1
---------
0.1 s + 1
ltiview
169
Bode Plot
170
Time Response
171
Discretization
sysd = c2d(sys,0.01,'tustin')
Transfer function:
0.04762 z + 0.04762
-------------------
z - 0.9048
Sampling time: 0.01
[nz,dz]=tfdata(sysd,'v')
nz = 4.761904761904762e-002 4.761904761904762e-002
dz = 1.000000000000000e+000 -9.047619047619048e-001
172
Bode Plot
173
Time Response
174
First Order Filter
If init > 0
Set the previous values of output and input, to input
Set output equal to input
Else
Compute using the following equation
out=Nz(1)*inp+Nz(2)*pri-Dz(2)*pro;
End
DTF -I-1S 1
Num Coeff A 0 = Nz (1)
Num Coeff A 1 = Nz (2)
Den Coeff B 1 = Dz (2)
Sample Time = DT
I order 1 State
Out
Input
Init
Safe
175
Importance of Initialization
Initial transients are avoided
A constant input will give a constant output. The filter
acts as gain
The system comes up very fast and this is very important
in a safety critical system
Demonstration of Initialization
Make a Simulink Block
Make Matlab Code
176
Second Order Filter
The Second order filter is represented by the following
transfer function
Nz and Dz are computed using the Tustin Transform
The term z-1 denotes the previous value and z-2 denotes
previous to the previous value
.
) 3 ( ) 2 ( ) 1 (
) 3 ( ) 2 ( ) 1 (
2 1
2 1

+ +
+ +
=
z Dz z Dz Dz
z Nz z Nz Nz
I
O
177
Second Order Filter
If init > 0
Set the all previous values of output and input to input
Set output equal to input
Else
Compute using the following equation
out=Nz(1)*inp+Nz(2)*pri+Nz(3)*ppri
-Dz(2)*pro-Dz(3)*ppro;
End
Demonstration of second order filter
DTFB-II-2S1
Num Coeff A 0 =a1
Num Coeff A 1 =a2
Num Coeff A 2 =a3
Den Coeff B 1 =b2
Den Coeff B 2 =b3
Sample Time =DT
Bilinear II Order 2 State
Out
Input
Init
Safe
178
Use of Filters in Control Systems
Normally used to reduce noise
Filter out high frequency components of a system so that
it behaves in a slower manner. i.e. It does not respond
very fast to the changing input
To modify the response of the output to transients
It could be a lead/lag filter or a washout filter
Second order filters are normally used as notch filters to
cut out unwanted frequencies.
The second order filters introduce additional phase lag in the
system and can cause erosion of margins. They have to be used
with care
179
Latches
These are primarily flip flops used in the digital circuits
In software latches come in basically two flavors Set
Priority and Reset Priority
Latches are used to latch a failure in system. It retains
its set value and can only be reset by sending a 1 to the
reset input
In set priority the set signal is processed first and if it is a
1 the latch is set. In reset priority the reset input is
processed first.
180
Latches
Inputs : S,R
Output =Q
If (S==1)
Q =1
Else if (R==1)
Q =0
Else
Q = prev Q
Set Priority
Out
Set *
Reset
Safe
181
Saturation
These blocks are the most important of the blocks in a
safety critical control system
They limit the inputs and outputs signals of the system.
This ensures that the system does not get large values
when a sensor fails due to any reason.
Limits can be variable based on flight conditions. A
designer would like to prevent large movements very
close to the ground but when the aircraft is high above in
the skies one has the freedom to move more.
182
Saturation
if max < min then swap max and min
if input > max
output = max
elseif input < min
output = min
else
output = input
end
DAL1
Sample Time =DT
Dynamic Amplitude Limiter
Limited Out
Input
UL
LL
Safe
183
Rate Limiter
All physical systems have a rate limit. A car can go at
100 kmph when the accelerator is pressed fully down.
That is the velocity or rate limit.
In aerospace the aircraft surfaces can move at a finite
rate for a specific command. This is the system limit
which cannot be crossed.
It is dangerous to hit the surface rate limits. In case the
rate limits are hit the surface does not respond as
required by the control system and the aircraft can (and
has) crashed.
Rate limiter blocks are introduced in control systems to
avoid the commands causing a rate limit of surfaces.
184
Rate Limiter
During First frame: y = IC
During Normal Operation:
PosDelta =previous output +PosRate*T
NegDelta =previous output +NegRate*T
If (x>PosDelta) where x is input
y =posDelta
Else if (x<NegDelta)
y =negDelta
Else
y=x
Here NegRate (say -10 in/s) is the negative slew or rate
limit and PosRate is the positive rate limit (say 12 in/s)
RATEL
Rate Limiter
Sample Time =DT
Rate limited
Input
Rising Limit
Falling Limit
Init
Safe
185
1-D Interpolation
186
1-D Interpolation
Given a table of X and Y values and a value of x for
which y is required
Find the two values of X between which x lies
This give index i and index i+1
Find the slope s=Y(i+1)-Y(i)/((X(i+1)-X(i))
y = (x-X(i))*s + Y(i)
Normally extrapolation is not used in the safety critical
control systems. One can always extrapolate offline and
use them as additional values in the table
1-D Table
Y Axis Data =YT
1-D Look Up
Inter
Index
Fraction
Size
Safe
187
Uses of 1-D Interpolation
Normally 1-D Interpolation is called table lookup and is
used to modify the input/output relation
A linear actuator moves forward and backward measured in
inches. This is connected to the aircraft surface which move in
degrees. But there is a non linear relation from inches to degrees
then we use a 1-D lookup
A control gain has to change on how fast the vehicle is moving
then we will use a 1-D lookup
The pilot should move the surface very fast when he is close to
zero but he should move it slowly when he is greater than 10
degrees. Use 1-D to modify pilot command
188
2-D Interpolation
Altitude
1 Km 2 km 5 km 10 km
200 kmph 1.42 1.56 1.8 1.92
400 kmph 2.45 2.56 2.79 3.1
800 kmph 3.67 3.81 3.91 4.12
1000 kmph 4.78 4.90 5.2 5.2
189
2-D Interpolation
Given a table of X and Y values, a matrix Z of values.
Given a value of x and y compute z from the table
lookup.
Find the two values of X between which x lies
This gives index i and index i+1
Find the two values of Y between which y lies
This gives index j and index j+1
Compute y1 at x by using Y(i,j) and Y(i+1,j)
Compute y2 at x by using Y(i,j+1) and Y(i+1,j+1)
Compute z by using y1 and y2
Use 1-D interpolations for the computation
190
2-D Interpolation
Y(j)
Y(j+1)
X(i) X(i+1)
x
y1
y2
y z
191
2-D Demonstration
This is a demonstration of the 2-D Simulink and its
comparison with interp2 Matlab function
Subsystem
Table =A
Sampling Time =DT
2-D Table Ext Index
Inter
Index_X
DX
SizeX
Index_Y
DY
SizeY
Safe
PreLookup2
Sampling Time =DT
Look Up Table =YT
Pre-lookup Index Search
Index
Fraction
Size
Input
Safe
192
Integrators
Integrators are used in PID controllers
They are used a accumulators. If the pilot wants to fine
tune aircraft nose up or down command he uses a trim
button. The output of this button is integrated to generate
a up/down command. The more time the button is
pressed the higher the integrator output.
They are used to keep count of time. If a flag is set for
some time the integrator ramps up and if the value is
greater than some threshold one can latch a failure.
Integrators are used to make filters in the way an analog
filter is designed
193
Anti windup Integrators
Integrators can run away if a constant input is given. It
is possible for the output variable to have very large
values. This is called windup
This is not a very safe situation and integrator have a
limit on the state. This is called anti windup.
All integrators in a safety critical system have anti windup
INTEG 1
Sample Time = DT
Integrator
Out
Initial OP
Init
Input
UL
LL
Safe
194
Integrator - Euler
Inputs: x, IC
Output : y
During first frame : y=IC
During normal operation :
y(i) =y(i-1) +T*x(i),
where T =sample time.
Anti windup
If y(i) >poslim
y(i) =poslim
Elseif y(i) <neglim
y(i) =neglim
195
Integrator - Tustin
Inputs: x, IC
Output : y
During first frame : y=IC
During normal operation :
y(i) =y(i-1) +T/2*(x(i-1)+x(i))
where T =sample time.
196
Persistence
In safety critical systems it is very important to trap wire
cuts, sensor failures etc.
Persistence blocks check for such failures over a finite
period of time. If the failure exists for say 2 seconds the
output of the block is set to TRUE.
Normally a failure which persists for a long duration
causes a latched failure. A latched failure requires a
reset to clear
Some of the failures will cause a reset inhibited latch.
Such failures aircraft cannot be cleared when the aircraft
is in air. Only after the aircraft lands and the pilot gives
an on ground reset is the failure cleared.
197
Persistence
Inputs: IC, Input, DTOn , DTOff
Output: Out
If Init True: y =IC
During normal operation (Init =False):
if (input is TRUE and has remained TRUE for
DT ON frames)
Out =TRUE
elseif (input is FALSE and has remained
FALSE for DT OFF frames)
Out =FALSE
Else
Out =Previous frame value of Out
Subsystem
Out
Input
Init
Ic
Safe
198
WindowOn/Off
WindowOn/Off is a special type of persistence block
Instead of looking for a continuous failure (on or off state)
this block looks for a set of failures in a finite window size
E.g. if a failure occurs 4 times in a window of 20 frames a
failure is set.
These blocks form a part of the module called
redundancy manager. This is a must in all safety critical
systems where multiple sensors are continuously
monitored and failures and bad sensors are voted out
199
WindowOn
Initially output is False
Open a window (assign a array) of say 20 frames
(previous example)
This array represents a moving window
Input 1/0
Sum
1 0 0 1 0
200
WindowOn
Every frame the data in each cell is shifted right. The 1
st
cell has the fresh input data
The sum of all cells in window is computed
If the sum is greater than threshold (4 in previous
example) then the output is set to True
Note: 1 indicates On in WindowOn block and a Off in a
WindowOff block
201
Transient Free Switches
Every control system has a Transient free switch
somewhere. It is also called as fader logic.
These are used to fade from one signal to another over
time. In aircrafts the lowering of the landing gears cause
a change in the system behavior (change in
aerodynamics). This causes a change in the control
system and the commands to the surface. The smooth
transition between the two phases is brought by using
the TFS.
202
Transient Free Switch
If Event is True output = Sn for 1
If Event is False output = Sn for 0
If the Event changes state (T-> F or F->
T)
Compute difference between the output and
the switched signal
Compute the delta change per frame by
dividing this difference by the fade time in
frames
Add this delta difference every frame to the
output till it reaches the input signal
This works well for constants but has
problems with continuous signals
TFS
Sample Time =DT
Transient Free
Switch
Out
FadeTime
Trig
Sn for 1
Sn for 0
Event
Init
Safe
203
Transient Free Switch
If Event is True output = Sn for 1
If Event is False output = Sn for 0
If the Event changes state (T-> F or F-> T)
Fade a variable A from 1.0 to 0.0 over the fade time
If the fade is from True to False. Multiply the True Signal with A
and False signal by (1-A).
This causes the True signal to fade out and the False signal to
fade in
Add these two signals to get the output
Model Based Testing
What is the cause of most aviation
accidents:
Usually it is because someone
does too much too soon, followed
very quickly by too little too late.
Steve Wilson,
204
Model Based Test
An executable requirement of the control system is
available as a model
The C/Ada code for this requirement has been
developed and runs on a target platform
The idea of model based tests in a nutshell is to generate
a set of test cases which will generate a set of input
signals time histories. These inputs are injected into the
Model and simulated to get the outputs.
The same input signals are injected into the
corresponding compiled code inputs and the expected
outputs tapped out.
205
Model Based Test
If both Model and Code outputs match then we infer that
the code is as per the requirements.
The assumption for a complete test is that we have
generated the test cases which cover the Model
functionality 100%
The same set of test cases give 100% code coverage on
the target on an instrumented code build
The instrumented code output and non instrumented
code output match very well with the Model output.
Very well is defined beforehand based on the target
data, the input output quantization, etc
206
Schematic
Flight
Code
Model
Test
Cases
A frame based testing
Comparator
207
Testing Example
A small example is shown here. This was a missile
implementation which failed. The input is limited between
+20 and -20, filtered through a digital filter and the output
limited on the positive side.
Saturation Saturation
nz(z)
dz(z)
Discrete Filter
Limit Input to
20.0
10/(s+10)
Limit Output to +
9.5
208
Static Test
A set of constants are used to test the code
implementation against the model
Input Model Flight
0.0 0.0 0.0
-3.0 -3.0 -3.0
-25.0 -20.0 -20.0
3.0 3.0 3.0
25.0 9.5 9.5
The Flight code
and the Model
outputs match
exactly. Can we
pass a safety
critical system
with these tests?
209
Dynamic Test
A 10 Hz signal was injected into the system. The Flight
code and the Model match very well.
The Flight code
and the Model
outputs match
exactly. Can we
pass a safety
critical system
with these tests?
0 5 10 15 20 25 30 35 40
-20
-15
-10
-5
0
5
10
15
20
Time (sec)
M
a
g
n
i
t
u
d
e
Input
Flight
MODEL
10 Hz
Signal
210
Dynamic Test
A 0.1 Hz signal was injected into the system.
211
Dynamic Test
There is an error between the Flight code and the Model.
This is a significant error.
A high frequency test has
not excited all the blocks
completely as the filter is
reducing the higher
frequency signal. The
output limiter is not
exercised. Taking credit of
the static test does not
help.
212
Dynamic Test
nz = [5.882e-2 5.882e-2]; dz = [1.0 -8.823e-1];
Initialisation
O=inp , pinp=inp
Loop
o=nz(1)*inp+nz(2)*pinp-dz(2)*o
if o > 9.5
o = 9.5;
end if
End Loop
The state is limited and
used in the
computation. This is
because the code uses
the same variable name
o for the filter output
and the limiter output.
213
214
Control System Block Tests
215
Logical Blocks
IEEE Standard Graphic Symbols for Logic Functions
AND =TRUE if all inputs are TRUE
OR =TRUE if at least one input is TRUE
NAND =TRUE if at least one input is FALSE
NOR =TRUE when no inputs are TRUE
XOR =TRUE if an odd number of inputs are TRUE
NOT =TRUE if the input is FALSE
216
Logical Blocks
For a Safety Critical Application All Logical Blocks have
to be tested to ensure Modified Condition / Decision
Coverage (MC/DC)
The effect of the input signal on the block has to be
shown at a output which corresponds to a observable
variable in the code (a global variable)
The logical blocks are normally connected to a switch
and both TRUE and FALSE operations of the switch
have to demonstrated on the output.
217
MC/DC Example
A
B
C
D
A B C D
F F F F
F F T F
F T F F
F T T F 1
T F F F
T F T F 2
T T F F 3
T T T T 4
218
Exercise
Define the MC/DC Test cases for this Combination Logic
A
A
B
C
O
219
Answer
A B C A xor B NOT(A xor B) C' O
0 0 0 0 1 1 1
0 0 1 0 1 0 0
0 1 0 1 0 1 0 2
0 1 1 1 0 0 0
1 0 0 1 0 1 0 3
1 0 1 1 0 0 0
1 1 0 0 1 1 1 1
1 1 1 0 1 0 0 4
220
Beware of MC/DC
A B AND NOT(XOR)
0 0 0 1
0 1 0 0
1 0 0 0
1 1 1 1
221
222
Switch Blocks
A Switch Block mimics an IF statement in code
The Trigger or Event input in the centre causes the
output equal to one of the outputs
Trigger
223
Testing Switches
In a model based approach it is usually seen that the
path till the switch inputs is normally executed. This is not
so in the case of C Code. The programmer will normally
put a set of instructions inside the if-then-else logic.
As a result intermediate states may have different
values.
Solution: Use an If-Then-Else block OR code like the
model!
Take care while selecting inputs. It is possible that both
the inputs to the switch may be equal due to computation
in the path above. This will make the test confirmation
difficult.
224
225
Filters
Filters are dynamic elements of a control system. They
have a state and the output changes with time. They are
very important to a stability of a system.
The correct implementation in Code has to be
ascertained and demonstrated for Certification.
Type of filters used in the control system are typically
First order
Second order
Notch Filters
Washout
226
First Order Filters
First order are the simplest of the filters used to cut off
noise
In model based testing they can be easily tested by
giving a step change at the input of the filter
The first order filters are characterized by a time constant
and for a unit step input the value of the output is
approximately 0.632 at a time equal to the time constant.
This can be used to prove the correctness of the
response!
Normally the filter output and the filter states are
initialized to the input. This ensures that the filter output
is constant for a constant input!
227
0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1
0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
1
Syst em: sys
Ti me (sec): 0.1
Ampl it ude: 0.632
St ep Response
Ti me (sec)
A
m
p
l
i
t
u
d
e
Filter Response
1
0.1 S +1
228
Discussion
Do we require to test Models in this fashion always,
looking for a characteristic ? What is the use of Model
then !?
229
Second Order Filters
A standard Second Order
Filter defined in the S
domain will have a constant
in the numerator and a
second order term in the
denominator
The Second order filter is
characterized by Rise Time,
Peak Amplitude, Time at
Peak Amplitude and the
Settling Time to 2% of its
Steady State value
|
|
.
|
\
|
|
|
.
|
\
|

2
1
2
1
tan
1
1
n
Tr
2 2
2
2
n n
n
s X
Y

+ +
=
n
Ts
9 . 3
=
2
1

=
n
Tp
230
Step Response
Step Response
Time (sec)
A
m
p
l
i
t
u
d
e
0 0.2 0.4 0.6 0.8 1 1.2 1.4 1.6 1.8
0
0.2
0.4
0.6
0.8
1
1.2
1.4
System: sys
Peak amplitude: 1.37
Overshoot (%): 36.8
At time (sec): 0.314
System: sys
Rise Time (sec): 0.135
System: sys
Settling Time (sec): 1.12
231
Testing 2
nd
Order Filters
They are tested the same way as the first order filters
with a step response
The various parameters that characterize the filter are
confirmed
Second order filters are sensitive to initialization and the
first 3-4 frame values are very important. They can tell if
the filter has been implemented correctly
Normally states are all initialized to the input signal. This
in turn ensures that the filter output is constant for a
constant initial input
232
Discussion
The requirements document mentions that the filter shall
be implemented such that the output derivates are zero
for constant input. Why do they specify this?
233
234
Notch Filters
They are special 2
nd
Order
Filters characterized by a
different value of
numerator and
denominator damping
ratio
They have to be
prewarped for ensuring
correct frequency domain
characteristics
2
2
2
2
1
2
2
2
n n
n n
s
s
X
Y

+ +
+ +
=
235
236
Washout and Others
Washout filters are differentiating filters
The first frame output is normally initialized to 0.0. Why?
Lead Lag Filters, Complimentary Filters and others are
various implementation of first order filters
It is difficult to specify the exact value of the response to
verify the results
Ideally if the first order filter Model works for a first
order lag it will work very well for any other filter
also. This is the charm of Model Based Testing!
237
238
Scheduled Filters
These are first or second order filters which have time
varying coefficients
It is simpler to specify the filter coefficients in the S
Domain for these filters. A first order filter will have the
time constants varying with time
Testing these filters is easy in a Model Based Approach
First the filter is tested with constant coefficients. This
checks the algorithm
Then the filter is checked with time varying coefficients
Sine Sweep signals and sinusoidal waveforms can be
used to verify the filter performance
239
Functional Coverage
A large input at the filter input will completely cover the
algorithm
Add a few test cases to check the Initial Conditions. Both
True and False conditions of the Initial conditions should
be checked.
It is a good practice to have a non zero value at the filter
input in the first frame. This will ensure that in case
proper initialization is not happening then the response
will not match.
Avoid random excitations and very high frequency
signals. They may miss out certain aspects of the filter.
240
241
242
Integrators
These blocks form a major component of a control
system
Some digital filters are implemented using integrators
Integrators are used to minimize the errors in a PID
control system
They are used to indicate the amount of time a particular
button has been pressed. They can also indicate an up
and down direction of button press
Integrators have anti-windup limiters. Care should be
taken to see that this is implemented properly in code or
in Model.
243
Discussions
Are these two implementations same?
Signal Builder
Signal 1
Scope
Saturation
Discrete-Time
Integrator1
K Ts
z-1
Discrete-Time
Integrator
K Ts
z-1
244
Matlab Demonstration
245
Integrator Tests
Give constant inputs and hold them till saturation occurs
Hold the input for some more duration and reverse sign
(if possible)
This will test the algorithm and the limits
Check the other functionalities like Integrator Reset and
Initialization
A large amplitude low frequency sinusoidal waveform
also checks the functionality
246
Functional Coverage
The normal algorithm is tested with a constant input. The
integrator functionality is covered if from a zero value of
the output the + and saturation limits are hit.
It is important to test the integrator behavior when it
comes out of saturation.
There are instances where the integrator limits are
dynamically varying. In these cases the integrator should
be checked for at least 2 different values of the limits on
both sides.
The initial conditions and reset will be checked by giving
a reset for at least two different values of the output
247
248
Non Linear 1D Lookup
One Dimensional Lookup Table
These blocks are used to modify/shape the input in a particular manner.
They can be used as variable saturation limits
1D tables are characterized by an X-Y relation. The X-Y relation
could be continuous or with specified breakpoints
In control systems a linear interpolation is used to find the values in
between breakpoints.
There are instance when the breakpoints values change based on
certain conditions. A switch and two separate tables can be used in
such a situation.
249
1-D Lookup Example
X Y
-50 -25
-10 -25
-5 -10
-2 -5
3 6
6 8
15 10
20 12
50 12
-50 0 50
-25
-20
-15
-10
-5
0
5
10
15
X Values
Y

V
a
l
u
e
s
250
Testing 1-D Lookup
A very low frequency sinusoidal waveform with amplitude
varying beyond the X values can excite the table
completely
Another alternative is to use a slowly varying ramp signal
The complete functional coverage can be ensured if
there are input signal points
Beyond the X extreme values (e.g. -60, 60)
At least two points between each breakpoint
251
252
Non Linear 2D Lookup
Two Dimensional Lookup Table
These are normally used for gain tables in aircraft
controllers
They can be filter coefficients data also
The data is provided as a table with Row and Column
vectors
A Linear interpolation is used to find the in between
points
Higher dimension lookup tables are used in simulators
and air data systems in aerospace
253
2-D Lookup Example
Altitude
1 Km 2 km 5 km 10 km
200 kmph 1.42 1.56 1.8 1.92
400 kmph 2.45 2.56 2.79 3.1
800 kmph 3.67 3.81 3.91 4.12
1000 kmph 4.78 4.90 5.2 5.2
S
p
e
e
d
254
Testing 2-D Lookup
The coverage criteria is similar to the 1-D Lookup i.e. two
points between break points. In this case both X-Y have
to be considered
One of the axis either X or Y is kept constant and the
other input varied as a ramp or sinusoidal signal to scan
the values
Two sinusoidal signals with different frequencies or a
step waveform and a sinusoidal waveform can be
considered to obtain coverage
Certain tools like the V&V toolbox of Matlab can provide
coverage metrics automatically
255
256
Rate Limiters
Rate limiters limit the rate of the output
A step input results in a ramp output
There are variations in the rate limiter implementation
Symmetric Rate Limiters
Asymmetric Rate Limiters
Dynamic Rate Limiters
The limits are called Max and Min but they are not
exactly that One should specify the Positive Slew
Rate and Negative Slew Rate
257
258
259
Saturation
This is a simple amplitude limiter
There can be problems in an implementation of the
saturation also
Is it protected for a Safety Critical Application?
a=2;ul=5;ll=10;
if a >= ul
a=ul;
elseif a <= ll
a = ll;
end
What happens if the
Maximum Value, specified
or dynamically arrived at,
is Lower than the Lower
Limit?
260
261
Persistence
These blocks are used to check for failures and to
observe them over a period of time to see if they
persist. If they do then a failure is declared
There are various type of these blocks
Delay On/ Off
Delay OnOff (Together)
In Window On/Off/OnOff
262
263
Window On Off
This is a special type of persistence block
Can be used to detect loose contacts
A window is opened say for 10 frames whenever a failure
occurs
Every frame the input is checked and a counter
incremented for every failure observed in the window of
10 frames
If the number of failures exceeds limit (say 5) then the
output is set True
264
Testing Persistence
The normal operation is checked by setting the required
conditions as demonstrated
There should be sufficient cases to ensure that the input
toggles before the persistence time and after it also
Different combination of input toggling have to be used to
verify the functionality
This is a good candidate for Random Testing!
265
266
Latches
Latches are used to set a particular failure flag so that it
can be cleared only based on the reset
They would normally be used after the DelayOn/Off
blocks to set a failure
There are two type of latches
Set and Reset Priority based on what happens when the Set
Signal and the Reset Signal both are 1
Set Priority Latch_IC
SET *
RESET
IC
Q
267
268
Transient Free Switches
These switches (also called faders) fade from one input
to the other input linearly when the event toggles
Different system houses have a different logic to
implement this
Normally a special block would be made using the
Simulink library primitives to implement this block
TFS
TRIG
TR
T
F
DT
OUT
269
Transient Free Response
0 2 4 6 8 10
5
5.5
6
6.5
7
7.5
8
8.5
9
9.5
10
Ti m e (s e c )
M
a
g
Tr an s i e n t Fr e e Sw i t c h e s

Tr i g g e r
Ou t
Tr u e
Fal s e
270
Test Methods
271
Manual Tests
We require to prove a safety critical system to be correct
manually!
The low level test process calls for a tester to design test
case by injecting inputs at the system input point and
show its effect at each and every block output
This output has to be shown to be correct by hand
calculation or excel computations
The test artifacts, test cases, test procedures and results
are reviewed against a checklist. These have to kept
under Configuration Control to be produced for
Certification
272
Manual Test
The expected results are also generated using the
Simulink Blocks and stored in an Excel Sheet for review
The Code is injected with these signals using Code test
tools. These tools also produce the instrumented output
and coverage metrics
All the tools, models have to be qualified according to the
standards. The standards demand that the tool
determinism be proved and documented
This means lots and lots of work!
273
Automated Tests
A collection of Manual Test cases can be executed on
target in a batch mode
In such cases the pass/fail criteria have to be defined
beforehand
Normally test cases are executed on a simulator on the
PC and later cleared for execution on the board in an
automated manner
V&V groups have developed methods to automate the
execution which are proprietary to the company
However, all automated test case results have to be
reviewed or should be reviewable for Certification
274
Generating Automated Tests
Several tools are available or have been developed in
house by the V&V groups to generate test cases
automatically
This saves a lot of effort, but it is very important that if
the test cases and results (outputs) are not verifiable
(manually) then the tool has to be qualified
A lot of effort and money is spent in these automated
tools. Companies feel that it makes a business sense to
qualify the tool and use it than to make manual test
cases.
275
Random Test Cases
One of the methods used by the tools is to generate test
case randomly
The code/block coverage metrics are monitored for each
test case
A selection is done at the end of a set of test cases to
optimally select a subset of tests which give maximum
coverage
This has been successfully utilized to test the Mode
Transition Logic (MTL) for the Indian SARAS aircraft. A
set of 100 test cases generated randomly could cover
the complete MTL
276
Techniques for Random Tests
Control Systems cannot be checked by injecting random
signals as the filters consider these as noise and reject
them. One method is to inject sinusoidal waveforms with
their parameters Frequency, Amplitude, Bias and
Phase selected randomly.
Another method that can be used is to select these
parameters with a probability. 90% of the time the aircraft
does maneuvers in the frequency band 1-3 Hz. 10% of
the time it can do some high frequency large amplitude
maneuvers. We can select the input parameters to mimic
these realistic situations
277
Coverage Metrics
Random Tests rely on coverage metrics for selection
Block coverage has been discussed earlier. Simulink
gives the coverage metrics automatically. It is possible to
define coverage metrics for specialized blocks and
monitor them during test case generation.
It is very important to take in the code coverage metrics
also when generating test case
Test cases should give 100% coverage for functionality
and code. If not, these have to be justified as
unreachable and documented
278
279
Orthogonal Arrays
It is always possible to look at the test cases as
parameters to a process and the various amplitude as
levels.
Instead of looking at changing one parameter and
keeping the other constant, it is possible to look at pair
wise combinations
Orthogonal Arrays can be used successfully to reduce
test cases
A freeware software called allpairs has been used to
reduce test cases in the SARAS and LCA programs
while maintaining the rigor of testing
280
An L8 Array
An L8 array can be
used to test 7 input
parameters with two
levels each
The Two levels could
be True or False and
the 7 inputs to a logic
circuit
Any two rows show all
combinations of (1,1),
(1,2), (2,1) and (2,2)
281
Orthogonal Cases for SARAS
In the Indian SARAS program system tests were carried
out for Altitude, Speed, Autopilot Up/Down, Autopilot Soft
Ride On/Off cases
4 Altitude and 4 Speed cases had to be tested
Allpairs software was used to generate 13 test cases
for each autopilot mode
The Flight Envelope coverage was checked in a dynamic
situation and found to be adequate
The complete set of test cases was automated and
executed on the system test rig
282
Error Seeding
A technique of Error Seeding was used successfully to
design test cases for the LCA controller
The Model for the controller was seeded with errors for
the block under test
Only 1 error was introduced in a Delta Model
The efficacy of the test case to bring out this error was
determined by ensuring that the output error was very
much above the pass/fail threshold
A set of 400 odd cases were generated to test each and
every block in the Model by verifying on the Delta Model
LCA flies today without any safety critical CLAW errors!
283
Pass/Fail Threshold - Discussion
What should be the pass/fail threshold for an automated
test?
Altitude varies from 0 Km to 15 Km, and Mach Number
varies from 0 to 2. Can they have the same threshold for
pass/fail?
What is the best way to solve this issue?
Does the precision of my hardware effect this threshold?
Can I catch all errors if I keep a very low threshold? Will I
get spurious failures?
284
LCA Example
We have found that a good threshold is to use the
formula
If the |Output| signal is >1.0 then divide the error by the signal
If it is <=1.0 then take the computed error itself
We used a threshold of 0.0002 for the pass/fail and
found it to be adequate for our processor and precision
used
This has been reported in open literature so feel free to
use it!
285
Experiments with Models
286
Taguchi Design of Experiments
The Design of Experiments has been successfully used
to generate test cases
It is possible to generate optimal test cases using DOE
for Control Systems
We have taken a case study of an Airdata System and
successfully used DOE and Genetic Algorithm to
generate test cases
DOE was able to generate a single test case after 38
experiments
Genetic Algorithm did something similar bit it had to
execute 600 runs but who cares!
287
Some Tools To Experiment With
Matlab has a Verification and Validation Toolbox and a
Design verifier which can generate the test cases
automatically. It is a worthwhile exercise to get a demo
license from Mathworks and try out some experiments
Reactis is another tool that is worth exploring. A demo
license is available for evaluation
Simdiff is a useful tool that can point out the changes
made between the models. This can tell you what
component need be tested for recursion
288
Best Practices
289
To Err is Human
Initialization errors ALWAYS
Copy Paste Errors ALWAYS
Limited state bug discovered in 1995 in Nag missile
again in LCA (We always make the same mistakes)
Model also incorrectly implemented - what do we do!
Manual segments incorrectly implemented new
features (always)
Corrections asked after errors found incorrectly applied
Gain table data entry error
Index exceeding bounds during interpolation
Tustin Euler Confusion
290
Testing Tantras
Automate the complete process from DAY 1 test
generation, test execution, download, analysis, reporting
Analyze every case in the first build Painful but
essential. This gives you an insight into the working
Analyze failed cases and as you have the code, do a
debug to some level do not send error reports (test
case could be wrong!) [Pssst We face it regularly]
Have a configuration control mechanism for test cases,
reports, open/closed PRs
Develop a front end for the test activity eases the whole
process
291
Testing Mantras
Eyeball the Requirements and the Model. If allowed look
at the Model and Code (Make the tests based on the
Model). This first step will bring out lot of errors
Errors, like the bugs, are found at the same place
(behind the sink!). Try to search there first. You will get a
lead on the development guys. Smart Testing!
It is very useful if you have a systems guy close by. Lot
of issues get solved across the partition
Have tap out points in the model and code. They are
extremely useful in debugging especially in system level
tests
292
Last Words
Children are born true scientists. They spontaneously
experiment and experience and experience again. They
select, combine and test, seeking to find order in their
experiences: Which is the mostest? Which is the
leastest? They smell, taste, bite and touch-test for
hardness, softness, springiness, roughness,
smoothness, coldness, warmness: they heft, shake,
punch, squeeze, push, crush, rub and try to pull things
apart. R. Buckminster Fuller
Let us experiment with Model Based Testing there is
so much to experience here!
293
Contact Us
Yogananda J eppu
jyogananda@moog.com
Chethan C U
cchethan@moog.com
MOOG
Plot 1, 2 & 3, Electronic City
Hosur Road
Bangalore, India 560 100
294
References
295
References
RTCA, 1992, "Software Considerations in Airborne Systems and
Equipment", DO-178B, Requirements and Technical Concepts for
Aviation, Inc.
International Electrotechnical Commission, IEC 61508, Functional
Safety of Electrical/Electronic/Programmable Electronic Safety-
Related Systems, draft 61508-2 Ed 1.0, 1998
UK Ministry of Defense. Defense Standard 00-55: Requirements for
Safety Related Software in Defense Equipment, Issue 2, 1997
UK Ministry of Defense. Defense Standard 00-56: Safety
Management Requirements for Defense Systems, Issue 2, 1996
FAA System Safety Handbook, Appendix C: Related Readings in
Aviation System Safety, December 30, 2000
296
References
YV J eppu, CH Harichoudary, Wg Cdr BB Misra, Testing of Real Time Control
System: A Cost Effective Approach SAAT 2000, Advances in Aerospace
Technologies, Hyderabad, India
Y V J eppu, Dr K Karunakar, P S Subramanyam , A New Test Methodology to
Validate and Verify the Control Law on the Digital Flight Control Computer 3rd
Annual International Software Testing Conference 2001, Bangalore, India
YV J eppu, K Karunakar, PS Subramanyam, Flight Clearance of Safety Critical
Software using Non Real Time Testing, American Institute of Aeronautics and
Astronautics, ATIO, 2002, AIAA-2002-5821
YV. J eppu, K Karunakar and P.S. Subramanyam, "Testing Safety Critical Ada Code
Using Non Real Time Testing", Reliable Software Technologies ADA-Europe 2003,
edited by J ean-Pierre Rosen and A Strohmeier, Lecture Notes in Computer Science,
2655, pp 382-393.
S.K. Giri, Atit Mishra, YV J eppu, K Karunakar, A Randomized Test Approach to
Testing Safety Critical Code presented as a poster session at the International
Seminar on "100 Years Since 1st Powered Flight and Advances in Aerospace
Sciences", Dec 2003.
Sukant K. Giri, Atit Mishra, Yogananda V. J eppu and Kundapur Karunakar, "A
Randomized Test Approach to Testing Safety Critical Ada Code", Reliable Software
Technologies, Ada-Europe-2004, edited by Albert Liamosi and Alfred Strohmeier,
Lecture Notes in Computer Science, 3063, pp 190-199.
297
References
Rajalakshmi K, J eppu Y V, Karunakar K, Ensuring software quality -experiences of
testing Tejas airdata software. Defence Science J ournal 2006, 56(1), pp13-19.
Yogananda V. J eppu, K. Karunakar, Prakash R Apte Optimized Test Case
Generation Using Taguchi Design of Experiments, 7th AIAA Aviation Technology,
Integration and Operations Conference (ATIO), September 2007 (accepted for
publication)
Rohit J ain, Srikanth Gampa, Yogananda J eppu, Automatic Flight Control System For
The Saras Aircraft HTSL Technical Symposium, Bangalore, India, December 2008
Yogananda J eppu, Automatic Testing of Simulink Blocks using Orthogonal Arrays
2009 Engineering Conference, Moog Inc, 26 May 2009
YV J eppu, The Tantras and Mantras of Testing, Software Test and Performance
Magazine, Sep 2005, pp 39-43
Yogananda J eppu, Thou Shalt Experiment With Thy Software, Software Test and
Performance Magazine, J une 2007
Sukant K. Giri, Atit Mishra, Yogananda V. J eppu and Kundapur Karunakar Stress
Testing Control Law Code using Randomised NRT Testing 43rd American Institute of
Aeronautics and Astronautics, Aerospace Sciences Meeting and Exhibit, 10 - 13 J an
2005 - Reno, Nevada, AIAA 2005-1253
Yogananda J eppu and Ambalal Patel, Let Not Your Project Become a Tragedy of
Errors, Software Test & Performance magazine, J anuary 2008

Model Based Development&Testing Matlab PDF

Uploaded by

Model Based Development&Testing Matlab PDF

Uploaded by

Yogananda Jeppu, Chethan CU Workshop at MIT Manipal Jan 2013

Model Based Development & Testing

r=rand(2,2,2,2) multidimensional array

Simulink with variable time step gives output as different

You might also like